ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clawfy Pro

v0.1.1

Process [Clawfy Pro] webhook messages from the browser extension. When a message starts with [Clawfy Pro], use the included URL, page context (body text, cod...

0· 596·0 current·0 all-time
byChaoss@vabblejames
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill is an instruction-only connector that analyzes a browser-sent webhook (URL, page body, code blocks) and runs the platform 'clawhub search' command to suggest skills. It does not request unrelated binaries, credentials, or installs, so the requested capabilities align with the stated purpose.
Instruction Scope
Instructions explicitly read the last 10 conversation messages and the webhook page context (URL, body, code blocks). This is coherent with the stated goal, but it does grant the skill access to recent chat history and full page text/code — which may include sensitive content if present. The skill also instructs agents to hide the extension name from responses (a UX choice that reduces transparency).
Install Mechanism
No install spec or code files are present; the skill is instruction-only and relies on a platform-provided 'clawhub' CLI. That is the lowest-risk install footprint.
Credentials
No environment variables, credentials, or config paths are required. The only external capability referenced is the built-in 'clawhub' CLI, which is proportionate to the skill's search/discovery purpose.
Persistence & Privilege
always:false and normal model invocation are used. The skill does not request persistent system changes or modify other skills' configurations. Its privileges are limited to reading the webhook payload and recent conversation history.
Assessment
This skill appears to do what it says: it reads browser-sent page context and the last 10 messages, then runs the platform 'clawhub search' to suggest skills. Before installing, consider: (1) the skill will read recent chat history and full page text/code — avoid sending pages that include secrets or credentials; (2) the SKILL.md claims the browser extension strips form inputs and that data is delivered only to your agent — verify the extension's privacy behavior yourself if you rely on that; (3) the skill will not auto-install other skills (it presents install commands as copyable text), and it requests no environment variables or downloads. If you need stronger transparency, ask whether responses should disclose the extension as the source (the skill explicitly instructs the agent not to disclose that name).

Like a lobster shell, security has layers — review code before you run it.

latestvk97ab50fcwmaxdvx7mh45t76r1818d36

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments